The BGW (Ben-Or, Goldwasser and Widgerson) protocol
allows $n$-party SFE with $\lfloor n/2 \rfloor -1$-privacy.
The security is information theoretic. We work in the honest-but-curious
model (the scheme can be modified to counter other threats).

The BGW protocol works on algebraic circuits. Any Boolean circuit can be
converted into a algebraic circuit by replacing $x\wedge y$ with $xy$ and
$x\vee y$ with $x+y-xy$.

Let $F(x_1,...,x_n)\in\mathbb{Z}_p[x_1,...,x_n]$. User $i$ has
$x_i \in\mathbb{F}_p$ and $F_1 = ... = F_u = F(x_1,...,x_n)$.
The communication turns out to be linear in the size of the circuit.

First we describe a couple of tricks that will be needed for the scheme.

Secret Sharing

Let $b\in\mathbb{F}_p$ be a secret.
We review a method of $t$-out-of-$n$ secret sharing due to Shamir ['81].
That is any $t$ of the $n$ users can reconstruct $b$ but $t-1$ cannot.

Pick a random degree $t-1$ polynomial such that $f(0)=b$.
User $i$ gets the share $b_i = f(i) \in\mathbb{F}_p$ for $i=1,...,n$.
If $t$ people get together, they can interpolate to get

Note that interpolation can be done when given $g^{f(u_i)}$ even when
the discrete logarithm problem is hard.

The scheme is secure because for any $b'\in\mathbb{F}_p$ and any $t-1$ users,
there exists a unique polynomial of degree $t-1$ with $g(0) = b'$ and
$g(u_i) = b_{u_i}$.

Proactive Secret Sharing

Suppose $b$ is shared in a $t$-out-of-$n$ fashion, so that user $i$ has
$b_i = f(i) \in\mathbb{F}_p$.
Every time period, we would like the users to execute a protocol to
refresh their shares without changing $b$. The idea is that an adversary would
have to compromise $t$ shares within one time period in order to get $b$.

To do this, we can have someone, say user 1, pick random polynomial $g$ of
degree $t-1$ such that $g(0) = 0$, and then send $y_j = g(j)$ to user $j$.
Each user $j$ then refreshes their share by computing
$b_j \leftarrow b_j + y_j$.

Then let $\bar{v_i}$ be the $i$th row of $A$. Then
$y_i = \bar{v_i}\bar{x} = \sum_{i=1}^n (v_i)_j x_j$.
Benaloh’s protocol
is an $(n-2)$-private protocol for $y_i$.

The BGW Protocol

Set $t = \lfloor (n-1) / 2 \rfloor$.
For $i=1,...,n$, user $i$ picks a random degree $t$ polynomial $f_i$ with
$f_i (0) = x_i$, and sends $f_i(j)$ to user $j$. Each user has a vector of
shares.
The gates are then evaluted one by one (in topological order).

For an addition gate $z = x + y$:
the arguments $x, y$ are already shared in a $(t+1)$-out-of-$n$
fashion, i.e. we have $x_1,...,x_n, y_1,...,y_n$ and user $i$ has $x_i, y_i$.
Then each user locally computes $z_i = x_i + y_i$, which means they now
hold shares of the answer $z$.

This transformation is linear, because we can find three matrices $A, B, C$
such that $ABC (z_1,...,z_n) = (z'_1,...,z'_n)$ as follows.
$C$ is the interpolation matrix (Fourier transform) that computes the
coefficients of $h$ from $z_1,...,z_n$. $B$ is the truncation operator
which is the identity matrix with some 1’s replaced by 0’s.
$A$ is
the evaluation matrix that evalutes $h'$ at $1,...,n$ (another Fourier
transform).

Thus Benaloh’s protocol can be used to compute $z'_1,...,z'_n$.
Lastly, $h'$ is not random, but this can be fixed by using
proactive secret sharing.

So addition gates are free, while multiplication gates require $O(n^2)$
communication, and all operations are done on shared values.
After all gates have been processed, every user publishes
their share.